Car Surveillance Rules Risk Gaps Amid Agencies’ Piecemeal Moves

Federal regulators risk pushback from both courts and consumers as they move to safeguard drivers’ privacy from cars that are collecting an ever-growing array of personal data.

The US Department of Commerce was among the first to consider regulations around in-car data privacy in March when it proposed prohibiting US carmakers from acquiring technology and services “integral” to connected vehicles from entities in China, Russia, Iran, North Korea, Venezuela, and Cuba. The Federal Communications Commission floated rules a month later to help survivors of domestic violence control who can access connectivity features in vehicles.

The Federal Trade Commission and the California Privacy Protection Agency have also told automakers they’re also keeping a close eye on connected cars’ data-privacy practices.

The parallel regulatory efforts could add up to an onslaught of new and complex standards requiring automakers to confront their data-collection habits. In the absence of a national data privacy law, agencies are leaning on their finite authorities to propose niche privacy requirements. Staying in their lanes might be the surest way to survive court challenges following the US Supreme Court ruling in Loper Bright Enterprises v. Raimondo, in which the justices eliminated judicial deference to agency interpretations of unclear laws.

The resulting patchwork of regulations, though, could leave critical blind spots that ultimately fail to address consumers’ growing uneasiness over their cars’ consumption of sensitive information or stem the tide of consumer data-privacy class actions against automakers.

That situation “is problematic,” said Theresa Payton, a former White House Chief Information Officer who now leads Fortalice Solutions LLC. “The more patchwork quilts of laws you have, the more the consumers assume, ‘oh, it’s handled.’”

‘Unique Risk’

Cars with connectivity features collect swaths of data on driving patterns that can identify where people live, work, and frequently travel. Compatibility with phones can share call logs and messages. Car sensors can track people’s eyes and hand movements.

That creates a “big picture about our habits” that automakers have access to, said Emile Ayoub, senior counsel in the Brennan Center for Justice’s Liberty & National Security Program.

Fast-evolving artificial intelligence models are compounding consumer’s fears, he added, by enabling companies to make more inferences and create even more detailed profiles of drivers. All that stands in their way, as of now, are their own privacy policies.

More than 75% of carmakers surveyed in a 2023 Mozilla study revealed their privacy norms allow them to sell user data to third-parties. More than half said they’re permitted to share the information with law enforcement or government officials.

That willingness creates a “unique risk of government agencies purchasing data from those companies and side-stepping Fourth Amendment protections,” Ayoub said.

Consumer lawsuits have already accused major automakers of collecting data—including drivers’ precise locations, driving history, and behavior behind the wheel—and sharing it with third parties.

Texas sued General Motors Co. and OnStar LLC in August, accusing the companies of selling drivers’ data to insurance companies without their consent. Insurers used the data to make decisions such as monthly premium increases and coverage denials, Texas Attorney General Ken Paxton said.

For drivers, it can be hard to learn exactly what their car knows about them, said Andrea Amico, founder of Privacy4Cars. His group’s research has found that drivers wanting to understand their cars’ handbooks—assuming companies’ data practices are “well-disclosed”—would face about “five and a half hours of reading.”

Post-Chevron Challenges

Agencies carving out their own niches in regulating connected cars is the latest example of the broader ongoing fight for control over privacy and security regulations, said Matthew Baker, who leads the privacy and cybersecurity practice at Baker Botts LLP.

With agency power now under a microscope after Loper Bright, piecemeal regulations to emerging issues may become the standard way forward.

“We’re already seeing it, right?” Baker said. “With the FCC and the Department of Commerce leaning on their current statutory authority to enact rulemaking within their authority, and that’s why you’re going to see the patchwork that’s occurring around it.”

The Commerce Department’s Bureau of Industry and Security is focusing on national security protections for US automotive supply chains from foreign adversaries, pointing to statutory authorities that “empower us to examine, and, if necessary, prohibit, technologies coming into the United States when sourced from entities connected to foreign adversaries,” an agency spokesperson said.

International meddling in car technology could “present a grave risk to national security” given adversaries’ potential access to “Americans’ most sensitive data,” a Commerce Department spokesperson told Bloomberg Law.

Meanwhile, the FCC is evaluating how to stretch its existing protections for survivors of domestic violence from cellphone carriers to connected cars. The agency has been gathering feedback about the “best way” to utilize its “authority and expertise” under the Safe Connections Act to protect survivors of domestic violence, an FCC spokesperson told Bloomberg Law.

In June comments to the FCC, the Alliance for Automotive Innovation pushed back on the agency’s authority. The lobbying group for the automotive industry wrote the act cited in the rulemaking “does not authorize the FCC to promulgate privacy and data protection regulations” for automakers.

Both the Commerce Department and the FCC said they’re coordinating with different stakeholders, including fellow agencies.

Blind Spots

Federal privacy legislation could help alleviate the current complexity by clarifying companies’ compliance responsibilities and consumers’ rights, said Adonne Washington, policy counsel for data, mobility, and location with the Future of Privacy Forum.

Congressional action could also sort out the roles of states and federal agencies. But the prospects for any comprehensive federal bill are uncertain at best.

The resulting data privacy “patchwork quilt is something really new to car industries who really were looking at the federal level for many years, but now have to deal with state regulation as well,” said Hinshaw & Culbertson LLP partner Cathy Mulrow-Peattie.

But without a national standard, the regulatory push and consumer-led litigation automakers face will continue on “different tracks,” Baker said. Agencies will keep focusing on their regulatory niches, while litigation will likely remain centered around consumers’ fears that their driving data is being shared and sold to data brokers and others without their consent.

The lack of transparency surrounding data collection, coupled with piecemeal consumer protections and outdated approaches to privacy, ultimately resulted in car companies falling “to the wayside” and escaping actionable regulation, he said.

“They’ve slipped through the gaps, just like so much of our data that permeates online,” Ayoub said.

Still, data brokers could soon be reined in.

The FTC in 2022 launcheda rulemaking to address the data-broker economy, noting the large swaths of data harvested by companies now amounts to what the FTC calls “commercial surveillance.”

The agency warned car manufacturers earlier this year it “will take action to protect consumers against the illegal collection, use, and disclosure of their personal data.”

“Connected cars have been on the FTC’s radar for years,” the FTC said in a May blog post urging automakers to tread lightly in the data space. The “easiest way” to avoid harming consumers by sharing data is by “simply not collecting it in the first place.”